With the wide application of computers and the increasing popularity of networks, more and more threats come from inside and outside of the networks, resulting in occurrence of such problems as network resource abuse, network paralysis, and user private data leakage. In order to provide effective network security protection and prevent internal and external network attacks, security devices need to be deployed in the networks, for example, an IPS (Intrusion Prevention System, intrusion prevention system) , a firewall, and the like.
A signature feature scanning method is mainly adopted by current security devices to detect network attacks, viruses, worms, malicious software, and the like. By analyzing signature features of loopholes, viruses, worms, malicious software, and the like, researchers extract features to generate a signature feature library and publish the signature feature library. A security device loads signature rules according to a deployment scenario and its resource configuration, performs scanning detection according to the loaded signature rules to detect network attacks, viruses, worms, malicious software, and the like, and takes actions, for example, blocking, cleansing or alarming, against the detected attacks, viruses, worms, malicious software, and the like.
However, in the prior art, on one hand, due to CPU (Central Processing Unit, central processing unit) resource constraints and different deployment scenarios, the security device does not load all signature rules, but loads a part of the signature rules according to a configuration, and the configuration of signature rules is completely determined by an operator according to experience. On the other hand, signature rules loaded by different security devices in different industries in different areas are different, when a problem occurs, only security devices loading a corresponding signature rule are protected, while security devices not loading the corresponding signature rule are not protected. Therefore, a protection capability of security devices in the prior art is not ideal.